PSEXEC Remote Execution File Artefact

calendar Aug 12, 2024 · attack.lateral-movement attack.privilege-escalation attack.execution attack.persistence attack.t1136.002 attack.t1543.003 attack.t1570 attack.s0029  ·
Share on: linkedin copy

Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system

Sigma rule (View on GitHub)

 1title: PSEXEC Remote Execution File Artefact
 2id: 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4
 3status: test
 4description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
 5references:
 6    - https://aboutdfir.com/the-key-to-identify-psexec/
 7    - https://twitter.com/davisrichardg/status/1616518800584704028
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023-01-21
10modified: 2023-02-23
11tags:
12    - attack.lateral-movement
13    - attack.privilege-escalation
14    - attack.execution
15    - attack.persistence
16    - attack.t1136.002
17    - attack.t1543.003
18    - attack.t1570
19    - attack.s0029
20logsource:
21    category: file_event
22    product: windows
23detection:
24    selection:
25        TargetFilename|startswith: 'C:\Windows\PSEXEC-'
26        TargetFilename|endswith: '.key'
27    condition: selection
28falsepositives:
29    - Unlikely
30level: high

References

  • The Key to Identify PsExec - AboutDFIR - The Definitive Compendium Project

    In one way or another, PsExec - a wildly popular remote administration tool in the Microsoft SysInternals Suite, peeks its head in the wild. Threat actors tend to leverage PsExec for various reasons such as executing programs on a remote host in a victim’s environment or for more nefarious reasons such as deploying ransomware. The focus of this blog is to bring attention to a relatively new method in identifying the source host in which PsExec was executed from. This is something that has caught my attention on a few IR engagements that I have worked on recently. Huge shoutout to Joseph Ziemba for first bringing this to my attention on one of our ransomware engagements we worked on together at KPMG.


    Read More

  • x.com


    Read More

Related rules

to-top